Abstract:- Access to electronic devices such as laptops, palmtops and smart phones, and even to door locks, is commonly protected by a numeric code or by a pattern. Magnetic stripe cards are in common use for electronic payments and cash withdrawals, and can be used simply by swiping them through any card reader. Users entering these secrets in public are often unaware of human shoulder surfers nearby who can easily observe the password. Cryptographic prevention techniques are hardly applicable because human users are limited in their capacity to process information. Alternative approaches have exploited the asymmetry between user and system. In this paper we propose a new method by which a surfer cannot identify the password, even when using a recording device. A new technique for secure personal identification number entry is presented, and the existing method is analysed under a new framework. An effective PIN entry method resists attackers by increasing the amount of short-term memory required to carry out the attack. The methods proposed in this paper are 2-colored (BW), semi-4-colored (improved BW) and pattern fixing (secret key). 

Key Terms: Human shoulder surfer, Personal Identification 
number, 2-colored, Semi 4-colored, Pattern fixing, Insidious 
advertence, Comprehensive grouping. 

I INTRODUCTION 

A Personal Identification Number (PIN) is commonly used in 
various situations, such as performing ATM transactions, 
approving a transaction, unlocking a phone or locking an 
individual app on a phone. In public places the PIN entry can 
be viewed by a person nearby. This kind of attack is a threat to 
the use of PINs in public places, for example for an emergency 
transaction. Pinhole cameras and skimmers are used as external 
devices for capturing user information such as the PIN and card 
details, and a common user cannot detect the presence of these 
devices. 

To overcome this problem, a new method, the 2-colored 
(black and white) method, is used. Its disadvantage is that it 
cannot be used safely in a place with a recording device such 
as a camera. Another secure PIN entry method is the 
semi-4-colored method, in which even a recording device 
cannot identify a single digit of the PIN. The pattern fixing 
method replaces the colors with special symbols. It may take a 
little longer, but it is more secure than the other methods. 

Four criteria should be considered in the design of a 
PIN entry method: 

- Safety 
- Functionality (time to enter and erroneous entries) 
- Consistency 
- Cost effectiveness (no extra hardware) 

The 2-colored method is still considered secure against a 
human opponent because of the limited cognitive capacity of a 
human observer. Two rationales motivate this work: 

Rationale 1: The opponent's cognitive capacity and trained 
skills are never considered. 

Rationale 2: No formal procedure and no quantitative tool 
exist for analysis and comparison. 

From these rationales, four contributions are made: 

1. Develop a new attack on the observer's cognitive limits, 
called insidious advertence shoulder surfing, which avoids 
drawing attention and uses comprehensive grouping. 

2. First use of a static measurement of performance. 

3. Showing the 2-colored method to be insecure. 

4. Developing a defense technique. 

Most shoulder-surfing-resistant PIN entry methods rely on 
the fact that the short-term memory capacity and real-time 
processing performance of a human are very limited. The user 
is presented with random challenges. 

II PRELIMINARIES 

A. Threat Model 

The user enters a PIN value, which is authenticated 
against the registered PIN or otherwise rejected. This paper 
mainly focuses on the weaker threat model: the surfer tries to 
observe the PIN value as it is entered, but there is no 
recording device such as a camera. The 2-colored method is 
considered secure in the weaker threat model. 

B. Security notions for PIN entry methods 

i. Guessing attack : 

In a guessing attack, the attacker guesses the user's 
PIN and enters it to pass the test, exploiting the fact that the 
distribution of PINs is not uniform. The number of attempts 
allowed for guessing the PIN can be limited, and a random 
check is performed. 

ii. Shoulder Surfing attack : 

In a shoulder surfing attack, the attacker 
observes the PIN entry by looking over the user's shoulder 
and tries to recover it. The opponent may observe several 
entries while the user remains unaware of the attack. 

C. Related Work 

Many research results have been presented. Yang 
Xiao (Yang Xiao, 2014) [13] proposed a differentiated 
password scheme in which the user has the freedom to choose a 
virtual password ranging from weak to strong security. 
Viberpass (A. Bianchi I., 2011) uses visual and haptic 
challenges: when the phone vibrates, the user enters a false 
character through a standard keypad; if the phone remains 
quiet, the user enters the correct one. Yi-Lun Chen (Yi-Lun Chen, 2013) 
and P. Dunphy (P. Dunphy, 2010) [14, 5] proposed a simple text-based 
graphical password. Justin Weaver and Kumar (Justin 
Weaver, 2011) (M. Kumar, 2007) [7, 9] proposed the Eye Dent 
system, in which gaze points are automatically clustered to 
determine the user's selected symbols. 

SSSL (T. Perkovic, 2009) [11] uses visual and audio 
challenges to enter a PIN with a reduced digit space. Bianchi 
(A. Bianchi I. K., 2012) [2] proposed uni-modal models in 
which passwords are encoded as sequences of vibration 
patterns without any visual information. 

The design of PIN entry authentication systems is 
based on multi-modal combinations of visual and non-visual 
content. The use of novel methods including audio cues, haptic 
cues and modulated visible light is proposed in counting 
clicks and beeps (A. Bianchi I., 2011) (A. Bianchi I. K., 
2012) [2, 3]. Color PIN (A. D. Luca, 2010) [10] redefines a PIN 
so that each PIN digit is a combination of a number and a color. 
Phone Lock (A. Bianchi I., 2011) [3] and Time Lock use 
secondary channels. 

Phone Lock displays a graphical wheel with ten 
sectors. Time Lock uses PIN digits from 1 to 5. Switch 
PIN (A. D. Luca, 2010) [10], an effective PIN entry method, is 
proposed by rendering a random mapping between 
switchable keypads. Passive adversaries are those that can 
passively monitor, intercept and analyze every part of the 
authentication procedure, except for the initial secret shared 
between the user and the system. To overcome this, a new 
predicate-based authentication service, PAS, was introduced 
(X. Bai, Dec 2008) [1]. 



III PROPOSED SCHEME 

A. Architecture Diagram 




B. User Registration 

The user enters his basic details in an Android 
application; once registered, he can access the application on 
his mobile phone. After registration is completed, a unique PIN 
is sent to the user's registered mail ID. Once it has been 
validated, the user can access the application by entering the 
username and password chosen at registration time. 
Fig. 1: User registration and login 



C. 2-colored method (BW) 

In this method the regular keypad with digits 0-9 is 
split into two random halves of equal size, one half colored 
black and the other white. In each round the keypad is 
recolored at random. The user knows the correct PIN digit and 
answers with its color by pressing one of the two separate 
keys, black and white, placed below the keypad. If the halves 
selected in each round are memorized or written down and 
their grouping patterns recalled, a shoulder surfer can 
identify a single PIN digit by intersecting the halves; a 
recording device makes this straightforward and lets the 
observer recover the PIN. A common 4-digit PIN requires 4-5 
iterations per digit, since each round halves the set of 
candidate digits and about log2(10), roughly 3.3, halvings 
are needed to isolate one digit out of ten. 

Demerits/Insecurity of the 2-colored method: 

- Static-based analysis 
- Reducing the number of visual items stored in short-term memory 
- Performing parallel motor operations 
- Comprehensive grouping 
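The following Python simulation is an added illustration, not code from the paper: it models one digit of BW entry as a camera would record it and runs the intersection ("comprehensive grouping") attack described above, in which every recorded round confines the digit to the half whose color key was pressed. The function names, the seeds and the sample rounds are constructed for this example.

```python
import random

DIGITS = frozenset(range(10))
BLACK, WHITE = "black", "white"


def random_coloring(rng):
    """One BW round: five random digits are colored black, the other five white.
    Returns the black half as a frozenset."""
    digits = sorted(DIGITS)
    rng.shuffle(digits)
    return frozenset(digits[:5])


def user_answer(black, pin_digit):
    """The legitimate user presses the color key that matches their PIN digit."""
    return BLACK if pin_digit in black else WHITE


def observer_candidates(rounds):
    """Intersection attack on a recorded session.

    rounds: list of (black_half, pressed_color) pairs, exactly what a camera
    captures. Each press confines the digit to the pressed-color half, so the
    digit lies in the intersection of all those halves."""
    candidates = set(DIGITS)
    for black, pressed in rounds:
        half = set(black) if pressed == BLACK else set(DIGITS - black)
        candidates &= half
    return candidates


def attack_digit(pin_digit, n_rounds, seed):
    """Record n_rounds of BW entry for one digit and return what the observer learns."""
    rng = random.Random(seed)  # fixed seed: constructed, reproducible session
    rounds = []
    for _ in range(n_rounds):
        black = random_coloring(rng)
        rounds.append((black, user_answer(black, pin_digit)))
    return observer_candidates(rounds)


def rounds_to_identify(pin_digit, seed, max_rounds=32):
    """Number of recorded rounds until only one candidate digit remains."""
    rng = random.Random(seed)
    rounds = []
    for n in range(1, max_rounds + 1):
        black = random_coloring(rng)
        rounds.append((black, user_answer(black, pin_digit)))
        if len(observer_candidates(rounds)) == 1:
            return n
    return max_rounds


if __name__ == "__main__":
    trials = [rounds_to_identify(d, seed) for d in sorted(DIGITS) for seed in range(200)]
    print(f"mean recorded rounds to pin down one digit: {sum(trials) / len(trials):.2f}")
```

The user's PIN digit always survives the intersection, so the attack never fails, it only needs enough rounds; that is why the text says a recording device defeats the method while a human observer, who must hold every coloring in short-term memory, usually cannot.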

D. Semi-4 colored method (Improved BW) 

A set of four colors, {blue, black, white, yellow}, is 
used. A numeric keypad of ten digits is displayed, each key 
split into two colors, with separate keys for the four colors 
placed below. For the PIN digit, the user picks either its upper 
or its lower color at random and enters it through the 
corresponding color key. This procedure is repeated for m 
rounds so that all digits of the PIN are identified by union 
and intersection. The claimed advantage of this method is that 
even a recording device cannot find any of the digits. Exactly 
4 iterations are performed for each digit. 

Algorithm: Semi-4 colored PIN entry (pseudocode using 
union and intersection) 

    A, B <- γ(π(Δ))                     /* primary sets: A, B, C, D */
    C, D <- γ(π(Δ))
    O, P <- (∅, ∅)                      /* eliminated sets: O, P, Q, R */
    Q, R <- (∅, ∅)
    for i = 1, ..., m do
        a, b, c, d <- ρ(Γ)
        display (A ∪ P and B ∪ O) and (C ∪ R and D ∪ Q)
        input choice ∈ {a, b, c, d}
        if choice = a then
            Q, R <- γ(π(O ∪ P ∪ B))
            O, P <- γ(π(O ∪ P ∪ B))
            C, D <- γ(π(A))
            A, B <- γ(π(A))
        else if choice = b then
            Q, R <- γ(π(O ∪ P ∪ A))
            O, P <- γ(π(O ∪ P ∪ A))
            C, D <- γ(π(B))
            A, B <- γ(π(B))
        else if choice = c then
            O, P <- γ(π(Q ∪ R ∪ D))
            Q, R <- γ(π(Q ∪ R ∪ D))
            A, B <- γ(π(C))
            C, D <- γ(π(C))
        else
            O, P <- γ(π(Q ∪ R ∪ C))
            Q, R <- γ(π(Q ∪ R ∪ C))
        end if
    end for                             /* the loop runs for m rounds */
    return A                            /* a single digit is identified */

E. Pattern Fixing method 

This method differs from the methods above in that, 
instead of color combinations, special symbols such as %, @, + 
and # are used. It consists of 4 rounds: the first round selects 
the special symbol, and the remaining three fix the symbol to 
the corresponding PIN digits. The symbols are displayed to the 
user in a random arrangement. The user selects a symbol at 
random to be the pattern for the session. Once the symbol is 
selected, it is positioned against each corresponding digit of 
the PIN by moving it up or down using the 'up' and 'down' 
buttons. 
Fig. 2(c): Pattern Fixing        Fig. 2(d): Services of ATM 

The ATM services shown (cash withdrawal, deposit and fund 
transfer) are carried out securely using the concept of 
virtual money. 



IV RESULTS AND DISCUSSION 

In this paper a new security notion is introduced, 
and theoretical and experimental techniques for analysing 
security are presented. The design of the new method is 
devised using meaningful guidelines. Based on these guidelines, 
a PIN entry method is developed that has improved security 
against human shoulder surfing attacks. 

Although the proposed method is an effective 
countermeasure against human shoulder surfing attacks, it 
cannot prevent a recording attack. Users should be warned not 
to use this method in a place with a recording device. Achieving 
both security and usability in the 2-colored method is truly 
challenging, and its design is prone to error due to the lack 
of formal treatment. 

The static analysis of the 2-colored method is 
compared with the semi-4-colored method, in which four colors 
are shuffled at random in each iteration. The PIN entry time of 
a normal user varies for each method and is compared over n 
trials and participants. 

V FUTURE WORK 

Future work is to develop a new usably secure 
authentication method based on abundant evidence. Measures 
for preventing shoulder surfing attacks can in the near future 
be implemented in iPhone locks, door locks and even for securing 
individual applications on Android phones. Beyond Android, 
these methods are designed to be implementable on any OS. 
Also, to quickly identify an attacker attempting to access the 
password, capturing their image through the front camera is 
suggested. 



F. Authentication and Services 

Once the initial registration is completed, the user 
receives a unique PIN by mail. The user can then enter the PIN 
using any one of the methods described above. The entered PIN 
is checked against the local database provided by the Android 
OS (SQLite). A one-way hash of the validated PIN is then 
generated and sent to the server over a public channel, the 
intent being that an attacker monitoring the channel cannot 
read the PIN directly. Note that this gives little protection 
on its own: a 4-digit PIN has only 10,000 possible values, so 
an eavesdropper can recover it from the hash by hashing every 
candidate, and the captured hash can simply be replayed to the 
server. The channel should additionally be encrypted and 
server-authenticated (for example with TLS) and the server 
should limit the rate of attempts. Once authenticated by the 
server, the user can access the services provided by the 
mobile app: cash withdrawal, deposit and fund transfer. 
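The following Python example is added here and is not part of the paper's implementation. It shows why sending a plain hash of a 4-digit PIN over a public channel does not hide the PIN: the eavesdropper simply hashes all 10,000 candidates. It also shows that keying the response with a server nonce stops replay of a captured message but does not stop the same offline guessing, because the nonce is visible on the channel too. The function names, the sample PIN and the nonce are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Every possible 4-digit PIN: only 10,000 candidates.
PIN_SPACE = [f"{n:04d}" for n in range(10_000)]


def pin_hash(pin: str) -> str:
    """What the client described in the text sends: a plain one-way hash of the PIN."""
    return hashlib.sha256(pin.encode()).hexdigest()


def recover_pin_from_hash(observed_hash: str) -> Optional[str]:
    """Eavesdropper on the public channel: hash every candidate and compare.
    Ten thousand SHA-256 computations finish in well under a second."""
    for pin in PIN_SPACE:
        if hmac.compare_digest(pin_hash(pin), observed_hash):
            return pin
    return None


def challenge_response(pin: str, nonce: bytes) -> str:
    """Response keyed with a server-chosen nonce. A captured response cannot be
    replayed, because the next login receives a different nonce."""
    return hmac.new(pin.encode(), nonce, hashlib.sha256).hexdigest()


def recover_pin_from_response(nonce: bytes, observed_response: str) -> Optional[str]:
    """The nonce travels in the clear, so the same offline brute force still works:
    the PIN's entropy, not the hash function, bounds the attacker's effort."""
    for pin in PIN_SPACE:
        if hmac.compare_digest(challenge_response(pin, nonce), observed_response):
            return pin
    return None


def demo() -> dict:
    """Constructed transcript: the legitimate client's two messages and what an
    eavesdropper recovers from each of them."""
    pin = "4721"               # constructed sample PIN, not a real credential
    nonce = bytes(range(16))   # constructed server nonce
    return {
        "from_hash": recover_pin_from_hash(pin_hash(pin)),
        "from_response": recover_pin_from_response(nonce, challenge_response(pin, nonce)),
    }


if __name__ == "__main__":
    print(demo())  # both values are "4721"
```

Both recoveries succeed because the secret has about 13 bits of entropy; no choice of hash changes that. What protects a PIN in transit is an encrypted, server-authenticated channel such as TLS, combined with server-side attempt limiting so that online guessing is throttled as well.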